This edition brings you early warnings, trending news about cyber threats, and the accurate threat context. Check out which threat group is on the rampage, what vulnerability it could soon weaponize, and more.
Why play catch up when you can fix this now?
Check out our Threat Intelligence Podcast hosted by David Rushton!
- Scattered Spider Exploits Windows Security Deficiencies in Latest Campaign
- Lorenz Ransomware Gang Installs Backdoors
- New APT Group: Dark Pink
- Kinsing Malware Employs Initial Access Techniques in Kubernetes Environments
- CISA Adds 2 New CVEs to the KEV Catalog
- Microsoft Fixes 93 Vulnerabilities in Patch Tuesday
Vulnerabilities to Watch Out For
Scattered Spider Exploits Windows Security Deficiencies in Latest Campaign
Scattered Spider has been targeting theBPO and telecom industry since June 2022. In December 2022, they began a new campaign exploiting Windows Security Deficiencies with a Bring-Your-Own-Vulnerable-Driver (BYOVD) tactic in an attempt to bypass endpoint security. The group deploys a malicious kernel driver through a vulnerability (CVE-2015-2291) in the Intel Ethernet diagnostics driver. The driver used by Scattered Spider is a small 64-bit kernel driver with 35 functions, signed by different certificates stolen from signing authorities like NVIDIA and Global Software LLC, so Windows doesn’t block it. The BYOVD technique allows publicly available tools, such as KDMapper, to map non-signed drivers into memory.
CVE-2015-2291 was fixed in 2015. However, by planting an older, still vulnerable version on the breached devices, the threat actors can leverage the flaw no matter what updates the victim has applied to the system.
Lorenz Ransomware Gang Installs Backdoors
The Lorenz ransomware gang is employing a new technique in their attacks. They are exploiting Mitel VoIP zero-days to install malicious webshells. These webshells contain backdoors and remain in the victims’ system for a long while and the gang returns after several months to launch the ransomware attack. CVE-2022-29499 is the latest of vulnerabilities to be exploited. It could lead to remote code execution (RCE) when exploited. Most of the backdoors deployed using the zero-days can be exploited even after the vulnerabilities are patched. In a recent attack, the gang deployed backdoors five months prior to the ransomware attack.
This teaches the importance of attack surface management which can help identify malicious files in the network and eliminate them.
New APT Group: Dark Pink
This APT group has been active since mid-2021 in the APAC region and occasionally in Europe. They employ spear phishing techniques to initially compromise a victim’s network. It seems that the group is also using a new set of tactics, techniques, and procedures rarely utilized by previously known APT groups. These include a custom toolkit featuring TelePowerBot, KamiKakaBot and Cucky and Ctealer information stealers. Further, Dark Pink can also infect USB devices attached to compromised computers. They execute malicious files using a file type association and DLL Side-Loading. Dark Pink’s intent behind the attacks is cyber-espionage as they have attacked governmental and military entities.
CVE-2017-0199 is a CVE that Dark Pink has exploited in their attacks.
Kinsing Malware Employs Initial Access Techniques in Kubernetes Environments
Kinsing malware is using new methods to target Kubernetes clusters: exploitation of weakly configured PostgreSQL containers and exploiting vulnerable images. In the first method, a misconfigured and exposed PostgreSQL server is used to run a malicious payload. The ‘trust authentication’ setting, when improperly configured, can open attackers to several options such as brute force on the Postgresql accounts, attacking the container availability with DoS and DDoS attacks, and trying to exploit the container and the DB itself.
Kinsing malware also uses images vulnerable to remote code execution in the container to run their malicious payload. Some of the popular applications that are exploited are PHP Unit, Liferay, WebLogic, and WordPress. CVE-2020-14882, CVE-2020-14750, CVE-2020-14883, CVE-2021-44228, and CVE-2022-26134 are some of the CVEs that Kinsing exploits.
CISA Adds 2 New CVEs to the KEV Catalog
On January 10, 2023, CISA included CVE-2022-41080 and CVE-2023-21674 in the Known Exploited Vulnerabilities (KEV) catalog.
CVE-2022-41080 is a Microsoft Exchange elevation of privileges bug that can be chained with the CVE-2022-41082 ProxyNotShell bug to gain remote code execution. The Play ransomware group exploited it as a zero-day to bypass Microsoft’s ProxyNotShell URL rewrite mitigations and escalate permissions on compromised Exchange servers.
CVE-2023-21674 is another zero-day in Microsoft’s Windows Advanced Local Procedure Call (ALPC). It is a privilege escalation flaw and is actively exploited in attacks. It was patched in January’s Patch Tuesday.
Microsoft Fixes 93 Vulnerabilities in Patch Tuesday
Among the vulnerabilities that Microsoft patched on Jan 10, 2023, is an actively exploited zero-day CVE-2023-21674. In summary, Microsoft fixed:
- 39 Elevation of Privilege Vulnerabilities
- 4 Security Feature Bypass Vulnerabilities
- 33 Remote Code Execution Vulnerabilities
- 10 Information Disclosure Vulnerabilities
- 10 Denial of Service Vulnerabilities
- 2 Spoofing Vulnerabilities
CVE-2023-21674 is a sandbox escape vulnerability that can lead to the elevation of privileges to the system. CVE-2023-21549 is a Windows SMB Witness Service Elevation of Privilege Vulnerability that was publicly disclosed.
Microsoft users are recommended to apply these patches at the earliest.
Vulnerabilities to Watch Out For
CVE-2022-44877: Centos Web Panel Vulnerability
A new vulnerability tracked as CVE-2022-44877 has been identified in Centos Web Panel 7. The vulnerability could be exploited to gain remote code execution capabilities. It is yet to be assigned a CVSS score. You can find the proof of concept for it here.
Update: Hackers have been actively exploiting this vulnerability and deploying webshells for more than 2 weeks now. They have used this vulnerability to deploy webshells with malicious payloads in CWP servers. More than 400,000 CWP instances are accessible over the internet. The encoded payloads convert to Python commands that call the attacker’s machine and spawn a terminal on the vulnerable host using the Python pty Module.
Web Panel users are recommended to update to the latest version immediately.
CVE-2022-46169: Cacti Command Injection Vulnerability
CVE-2022-46169 is a command injection vulnerability that allows an unauthenticated user to execute arbitrary code on a server running Cacti. That is, if a specific data source was selected for any monitored device. The security advisory offers remediation steps to avoid falling victim to exploitation.
Update: Hackers are actively exploiting this vulnerability and there are more than 1600 instances of the Cacti device exposed to the internet. Mirai botnets are installed using this vulnerability along with the IRC botnet (PERL-based) that opens a reverse shell on the host and instructs it to run port scans.
CVE-2022-23529: JsonWebToken Vulnerability
The CVE-2022-23529 vulnerability is found in the JsonWebToken open source project. It is used for authentication and authorization in many applications. An attacker exploiting this vulnerability can arbitrarily execute code in a server by verifying a maliciously crafted JSON web token (JWT) request. To patch this vulnerability, a user needs to update to the JsonWebToken package version 9.0.0.
CVE-2022-43473: ManageEngine XXE Injection Flaw
This XML External Entity (XXE) vulnerability exists in the UCS module in OpManager. Exploiting XMLs with vulnerable XML entities can lead to the access of restricted resources. ManageEngine released the patch for CVE-2022-43473 wherein you disable XML entities when parsing XML responses, so XML entities are not invoked.
OpManager users are required to apply this patch immediately.
Follow our weekly Threat Intelligence Series and podcast for proactive alerts on trending threats.